On 4/8/2014 2:18 AM, Steffen Kaiser wrote:
The primary question is: Does

ldapsearch -H ldap://server.domain.tld:389 \
  -b dc=domain,dc=tld -D ...  -W \
  '(&(userPrincipalName=<<user>>)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

return the user?

Yes, it does. The authentication with AD works as it should as long as Dovecot is pointing to the right OU.


How many domain controllers do you have in the AD? Which of them holds
which domains? See http://technet.microsoft.com/en-us/library/cc978012.aspx


I have one domain controller and there is only one domain. I think we are getting off track here. There is no problem with authentication. Maybe I need to be more clear.

Dovecot is able to authenticate with Active Directory as long as the "base = " parameter in "/etc/dovecot/dovecot-ldap.conf" is pointing to the OU that the Dovecot users are in. However, I have another OU where my Exchange users are. So, when I try to send email from a Dovecot user to an Exchange user, Dovecot throws the error "user unknown" because it's not able to find the Exchange user, since it's in a different OU. When I set the "base =" parameter in "/etc/dovecot/dovecot-ldap.conf" to the domain root, i.e. instead of having it say:

base = ou=testou,dc=domain,dc=tld

I set it to:

base = dc=domain,dc=tld

so it can look up all users in the entire domain,

then Dovecot stops authenticating with AD altogether.
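To make the OU-scoping problem described in this thread concrete, here is an added example (not code from the thread, from Dovecot or from the Microsoft documentation linked above) that emulates the search offline. It builds the same filter as the ldapsearch quoted earlier, with the user value escaped per RFC 4515 so that characters such as `*`, `(` and `)` in a supplied name cannot change the filter's meaning, checks the ACCOUNTDISABLE bit (0x2) that the `1.2.840.113556.1.4.803` bitwise-AND rule tests, and shows why a base of `ou=testou,dc=domain,dc=tld` cannot see a user in a sibling OU while `dc=domain,dc=tld` can. The directory entries, the OU name `exchange` and the user names are constructed sample data and are assumptions for the example only.

```python
import re

# RFC 4515, section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# userAccountControl bit that the thread's filter excludes (ACCOUNTDISABLE).
ACCOUNTDISABLE = 0x2


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(upn: str) -> str:
    """The same filter as the ldapsearch in the thread, with the UPN escaped."""
    return (
        "(&(userPrincipalName=%s)(objectClass=person)"
        "(!(userAccountControl:1.2.840.113556.1.4.803:=%d)))"
        % (escape_filter_value(upn), ACCOUNTDISABLE)
    )


def is_disabled(user_account_control: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set (what the ':=2' bit-match excludes)."""
    return bool(user_account_control & ACCOUNTDISABLE)


def dn_components(dn: str):
    """Split a DN on unescaped commas; normalise case and whitespace for comparison."""
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn equals base_dn or sits below it (LDAP scope 'sub')."""
    entry = dn_components(entry_dn)
    base = dn_components(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


# Constructed sample directory (assumption for this example, not real data).
# 512 = NORMAL_ACCOUNT; 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
SAMPLE_DIRECTORY = {
    "CN=Alice,OU=testou,DC=domain,DC=tld":
        {"userPrincipalName": "alice@domain.tld", "userAccountControl": 512},
    "CN=Bob,OU=exchange,DC=domain,DC=tld":
        {"userPrincipalName": "bob@domain.tld", "userAccountControl": 512},
    "CN=Carol,OU=exchange,DC=domain,DC=tld":
        {"userPrincipalName": "carol@domain.tld", "userAccountControl": 514},
}


def find_user(base_dn: str, upn: str):
    """Emulate the search: subtree scope under base_dn, UPN match, account enabled."""
    return [
        dn for dn, attrs in SAMPLE_DIRECTORY.items()
        if in_subtree(dn, base_dn)
        and attrs["userPrincipalName"].lower() == upn.lower()
        and not is_disabled(attrs["userAccountControl"])
    ]


if __name__ == "__main__":
    print(build_user_filter("alice@domain.tld"))
    for base in ("ou=testou,dc=domain,dc=tld", "dc=domain,dc=tld"):
        for upn in ("alice@domain.tld", "bob@domain.tld", "carol@domain.tld"):
            print("base=%-28s %-17s -> %s" % (base, upn, find_user(base, upn)))
```

With the narrow base only Alice is found; with the domain root Bob is found as well, and Carol is still excluded because her ACCOUNTDISABLE bit is set. The scope check is the part that matters for the "user unknown" error; what the widened base does to authentication is a separate question that this emulation does not model.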
